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...SPECIFICATION recent usage. 

In one optional embodiment, the nodes of the network are organized into 
a hierarchy of groups. In this embodiment, the memory subsystems 
32a-32c can include a hierarchy manager that provides hierarchical 
control for the distribution of data. This includes controlling the 
migration controller , and policy controller , which are discussed in 
detail below, to perform hierarchical data migration and load 
balancing, such that data migrates primarily, between computers of the 
same group, and passes to other groups in hierarchical order . 
Resource distribution is similarly managed. 

FIG. 3 illustrates in more detail one shared memory subsystem. . . 
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...SPECIFICATION storing object information thereon. 

OAM 27 includes 0AM Storage Management Component (OSMC) 28 and Library 
Control System (LCS) 29. OSMC 28 is connected to the LCS 29, to the OSR 
23 an object storage hierarchy based on a specified storage management 
policy . OSMC 28 management includes determining where objects are to be 
stored, moving objects within an object storage hierarchy , managing 
object backup, and determining object expiration. LCS 29 is connected to 
the OSR 23, the configuration tables 26, and to the system controller 
17 of the automated optical disk library 1. LCS 29 reads and writes 
objects to optical disks, manages volumes storing those objects, and 
controls the system controller 17. 

The second level storage 31 includes DASDs DIR 32, STORE 33, and 
Configuration Database. . . 
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OAM 27 includes OAM Storage Management Component (OSMC) 28 and Library 
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Control System (LCS) 29. OSMC 28 is connected to the LCS 29, to the OSR 
23. . . 

.is to manage an inventory of hundreds of millions of objects within an 
object storage hierarchy based on a specified storage management 
policy . OSMC 28 management includes determining where objects are to be 
stored, moving objects within an object storage hierarchy , managing 
object backup, and determining object expiration. LCS 29 is connected to 
the OSR 23, the configuration tables 26, and to the system controller 
17 of the automated optical disk library 1. LCS 29 reads and writes 
objects to optical disks, manages volumes storing those objects, and 
instructs the system controller 17. 

The second level storage 31 includes DASDs DIR 32, STORE 33, and 
Configuration Database... 
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A principal cache management policy is the preservation of cache 
coherency. Cache coherency refers to the requirement that any copy... 

...modified location in a write-back cache. In computer systems where 

independent bus masters can access memory, there is a possibility that 
a bus master, such as a direct memory access controller , network or 
disk interface card, or video graphics card, might alter the contents of 
a. . . 

...cache. When this occurs, the cache is said to hold "stale" or invalid 
data. In order to maintain cache coherency, it is necessary for the 
cache controller to monitor the system bus when the processor does not 
own the system bus to see if another bus master accesses main memory. 
This method of monitoring the bus is referred to as snooping. 
The cache. . . 
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. . . G06F-012/10 

...SPECIFICATION only a logical address cache is present {i.e., no virtual 
address cache) then its controller will have to decide whether an 
existing pointer is being destroyed or a new one is being created, i.e., 
the controller will have to support the Read-modi fy-write feature. Thi 
overhead will degrade the performance... 

...until these decisions are resolved the CPU-MMU interface cannot be 
released. With the cache hierarchy design disclosed herein, the 
overhead of detecting whether an existing pointer is being destroyed or 
new one is being created can be handled by the controller of the 
virtual address cache, i.e., the controller for the virtual address 
cache needs to support the Read-modi fy-write feature. The MMP. . . 

. . .Write instruction, the CPU-MMU interface is released, allowing the CPU 
to initiate a new access to memory. As explained later, in order to 
support this strategy of performance enhancement, it is necessary to 
employ the "write-through" policy for both caches . 

There are two policies to keep the cache consistent with the backing. . 
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Claim 

syndication central 
server, 

Figure 6A is an illustration of a web page used to post 
policy information for those policies offered in 
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syndication. 

Figure 6B is an illustration of a web page used to 
submit orders for syndication of a policy , 
Figure 6C is an illustration of a web page used to 
confirm an investor's order , 

Figure 7 is a block diagram illustrating the credit 
card issuing bank server, 
Figure BA. . . 

.bank 
server, 

5 Figure 9 is a flowchart describing the process by which 
an insurance policy is offered in syndication by 
posting on the syndication website, 
Figure 10 is a flowchart... 

.an investor visiting the syndication website 
initiates a purchase of a portion of an insurance 

policy offered in syndication. 
Figures 11A and 11B are connected flowcharts describing 
the process by which the insurance syndication service 
central server processes an order placed by an 
investor. 

Figure 12 is a flowchart describing the process 
executed by the insurance company central server when 
the syndication central server processes an investment 
order , 

Figure 13 is a flowchart describing the process by 
which the insurance company server processes a premium 
payment for a policy offered in syndication, 
Figure 14 is a flowchart describing the process by 
which the insurance company server processes a claim on 
a policy offered in syndication. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 
An overview of a preferred embodiment... 

.Figure 1, one or more insurance 

companies, each having an insurance company server 110, 

transmits policy information 101 relating to a policy 

or policies being offered in syndication to an 

5 insurance syndication service central server 120, The 

means for determining whether or not the policies 

should be offered in syndication is established by each 

insurance company and is a matter of risk management 

for the respective companies . The insurance company 

server transmits the policy information 101 via a 

network 100 such as the Internet, The syndication 

service central server 120 makes the policy information 

101, together with syndication information 102, 

available for viewing by visitors to a syndication ... through 

conventional user interface 140, At the website 130 

are listings of all insurance policies which are 

offered in syndication, The user browses the various 

policies and picks one or more he is interested in as 
an investment, Using the conventional interface 140, 
the user enters his investment order 103; the order 
includes the policy number, the amount of the policy 
the user wishes to invest in, the terms of investment 
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(time period, etc,), and other... 
.and 

personal information, including his electronic mail 
(lie-mail") address, He then directs his investment 
order , including the information he has entered, to be 
transmitted to the insurance syndication service 
central . . . 

. the Internet, 

The syndication central server 120 receives the user 
investment transaction information 104 including: 
policy number, amount of policy purchased in 
syndication, user information, credit card type and 
number, and expiration date, The syndication. . . 

. unused 

credit line for the amount of risk assumed in 
purchasing the segment of the policy . The credit card 
transaction request 105 is transmitted to a server 150 
maintained by the. . . 

. syndication 

central server 120 that the amount has been frozen for 
the term of the policy investment. (It should be noted 
that credit line freezes are usually for a maximum of . . . 

.account with that 

bank, the bank immediately notifies the insurance 
agency and the terms of policy investment are canceled 
immediately, 

The syndication central server 120, having received the 
verification 106 of. . . 

.35 receipt 107 to the investor, using the e-mail address 
provided with the investment order . This receipt is 
- 12 

then available to the user (investor) 141 in printed 
form by . . . to be 

paid to each investor, The appropriate portion of the 
premium received from the policy holder is sent via 
mail or electronic transfer to the user (investor) 141 
on a . . . 

.as established in the terms of the 
investment, 

When a claim is filed on the policy offered in 
syndication, the insurance company, after determining 
that the claim is valid, accesses the syndication 
information in the databases 115 and extracts the 
appropriate credit line information for all members in 
the syndicate for that policy , The company then draws 
on the credit line of each investor's credit card for... 

.percentage of the amount paid out by 

the company based on the percentage of the policy owned 
in syndication, The credit card issuing bank server 
150 receives data 109 regarding this... 
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.issuing bank notifies the syndication 
service, which subsequently cancels the investor's 
stake in the policy , The service then notifies the 
insurance company and the databases 115 and 125 are 
35 updated accordingly to reflect the new inventory, 
premium, and syndication information. 

This arrangement described above is preferable when a 

policy or group of policies is offered by a plurality 
of insurance companies, The syndication service then 
functions as a clearinghouse for the various policies 
5 offered and various investor orders , Alternatively, 
the system may be implemented by a single insurance 
company, in which case the. . . 

.The server has a 

Central Processing Unit (CPU) 201, to which are 
connected a Random- Access Memory (RAM) 202, Read-Only 
Memory (ROM) 203, cryptoprocessor 204, communication 
port 205 and data... 

.a Pentium. 

microprocessor manufactured by Intel, Inc, 

The data storage device 210 includes several databases: 

policy holder database 310, policy database 320, 
syndication (by policy ) database 330, investor (by 

policy ) database 340, issuing bank database 350, claims 
5 database ...each 

of these databases is shown in tabular form in Figures 
3A-3H, respectively, , 

The policy holders of the insurance company are listed 
in the policy holder database 310. As shown in Figure 
3A, each policy holder has an ID number 311, associated 
with which are various items of personal information 
(name 312, address 313, phone number 314, Social 
Security number 316 and birthdate 317), The number of 
active policies 315 held by each policy holder is also 
listed. 

The fields of the policy database 320 are shown in 
Figure 3B, Each policy , identified by a policy number 
327, has a separate entry which also includes the 

policy holder ID number 311, the type of coverage 321, 
the extent of coverage 322, the. . . 

.the number of claims pending 328, 

Figure 3C shows the fields of the syndication (by 

policy ) database 330, This database has a separate 
entry for each policy in syndication, listing 
information regarding the syndication status of that 

policy , An entry includes the policy number 327, the 
amount of risk 331 assumed in syndication of the policy 
(that is, the amount that has been offered for 
syndication, which may or may not... 

.amount of risk 332 borne by 

the underwriter (that is, the insurance company issuing 

the policy ) , the number of premium payments made 

to-date 333, total number of premium payments to be 
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paid during the life of the policy 334, the number of 
investors in the syndicate 335 (that is, the number of 
5 persons who have invested in syndication of that 

policy ) , the expiration date 336 of the policy , and the 
number of claims pending 328, 

Figure 3D shows the fields in the investor (by policy ) 
database 340, In this database, an individual policy 
may have multiple entries, one for each investor in 
that policy . An entry thus has the policy ID number 
327 and an investor ID number 341, Associated with the 
ID numbers are the amount of risk 342 under the policy 
assumed by the investor, the percentage of the risk 343 
under the policy assumed by the investor, the amount 
344 of the premium on that policy received by the 
investor from each premium payment, the percentage 345 
of the premium received. . . 

.number 346 and credit card type 347 used by the 
investor in connection with that policy , the amount of 
credit 34 8 on the credit card account which has been 
frozen, the. . . 

.349 of the credit freeze (which may 

or may not correspond to the length of policy coverage, 

depending on the terms of the investment) , and the name 

of the credit card. .. identified by a claim number 361, Each 

entry in the claims database also includes the policy 

number 327 of the policy under which the claim was 

5 filed, an indication 362 whether the policy has been 

offered in syndication, the number 335 of investors in 

the syndicate for that policy , and the amount of risk 

331 assumed in syndication. 

Figure 3G shows the fields in. . . 

.database 380, Each entry corresponds to an investment 
by a particular investor in a particular policy . The 
policy is identified by the policy number 327, The 
investor is identified by name 481, Each investor name 
has associated therewith. . . 

.Each 

entry also includes the premiums to be paid 334 to the 
investor on the policy , the payment plan 326, and the 
length 349 of the investor's syndication contract 
relating to the policy , 

A schematic illustration of the syndication service 
central server 120 is given in Figure 4... 

.an e-mail storage device 406. The data storage device 
410 includes several databases 125: policy database 
420, syndication (by policy ) database 430, investor (by 
policy ) database 440, investor (by name) database 480, 
issuing bank database 450, claims database 460 and 
transaction database 470, 

The data in the policy database 420, syndication (by 

policy ) database 430, investor (by policy ) database 
440, issuing bank database 450, claims database 460 and 
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transaction database 470 of the syndication central 
server 120 has the same arrangement as the data in the 
corresponding policy database 320, syndication (by 
policy ) database 330, investor (by policy ) database 
340, issuing bank ...and 

transaction database 370 of the insurance company 
server 110, Accordingly, the structure of the policy 
database 420, syndication (by policy ) database 430, 
investor (by policy ) database 440, issuing bank 
database 450, claims database 460 and transaction 
database 470 is as already described in Figures 3B 
through 3G, respectively, Where insurance policies 
having data in server 110 are offered for syndication 
using server 120, the policy records will be 
substantially identical in the corresponding databases, 
Figure 5 shows the structure of . . . 

...485c, If 

5 the investor has used more than one credit card to 
place investment orders , additional fields 486, etc, 
having the same structure as field 485 are included for 
each of the additional cards, 

Figure 6A shows an example of a posting 600 of policy 
information 101 with syndication information 102 on the 
syndication website 130, The posting includes the 
underwriter name 601, the type of coverage 321 and the 

policy number 327, Also included is the percentage of 
the total risk offered for sale in... 

. . .date of 

coverage 325, The user 141 can view a more complete 
description of the policy by clicking box 608, or 
proceed to place an investment order by clicking box 
609, 

Figure 6B is an example of a web page 620 filled in by 
a user (investor) 141 to submit an order for a 
syndicated portion of a policy , The investor enters 
his name 481, postal mailing address 482, phone number 
483, e-mail... 

. . .485 

(including the credit card type and number, issuing 
bank and expiration date) on the order form, This 
information is added to the investor (by name) database 
480 of the syndication central server, The policy 
number 327 and monthly premium 603 are copied from the 
display 600 of the policy information, The investor 
indicates the percentage 343 of the total risk 331 he 
wishes to . . . 

...length of credit freeze 349), and 

5 then clicks box 621 to submit his investment order , 
Figure 6C is an illustration of a web page which serves 
as a confirmation 630 of an investor's order , The 
confirmation form may include the investor ID number 
341 assigned by the syndication service, the investor's 
name 481, the investor's credit card type and number 
485a, the policy number 327, the monthly premium 603, 
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the amount of risk 631 assumed by the investor... 
. .the 

cardholder's name 721, address 722, phone number 723, 
date of birth 724, Social Security number 725, and the 
5 credit card account number 726, 
Figure 8B shows the f ields . . . in the 

figure is of a credit line freeze performed when an 
investor places an order with the syndication service. - 
In the practice of this invention, cryptographic 
processing of the... 

. receives 

confirmation that he has assumed a portion of a risk 
with respect to a policy , he should not be able to deny 
that he accepted the risk when faced with a claim under 
the policy ; accordingly, the system requires that his 
investment order be authenticatable and non-repudiable, 
The cryptoprocessors 204, 404 and 704 can be general 
purpose . . . 

.well as various 
combinations thereof . 

The degree of cryptographic processing depends on the 
degree of security that is desired, For example, where 
the primary concern is integrity of the investment 
amount. . .be used to insure 

non-repudiation of acceptance of a risk associated with 
a given policy . 

The operation of the system of the present invention 
5 according to the preferred embodiment. . . 

.the flowcharts shown in Figures 9-14, 

Figure 9 shows the process by which a policy is offered 
in syndication by posting on the syndication website 
130. The insurance company reviews the policies it has 
issued to determine which policies should be offered in 
syndication, and transmits information regarding those 

policies to the syndication service for posting on the 
website, Specifically, the central controller 201 of 
the Internet 100, In step 1002, the user browses the 

policy information on a policy by policy basis (the 
information for each policy being displayed as shown in 
Figure 6A, for example) . The user decides to purchase 
a portion of a specific insurance policy in syndication 
(step 1003), and then links to the insurance 
syndication order form (step 1004) via the insurance 
syndication service homepage (for example, by clicking 
on the box 609 appearing with the display 600 of 
information for that policy ) . 

The user enters his personal information on order form 
620 (step 1005) . As discussed above with reference to 
Figure 6B. this information may. . . 

. expiration 

date 485, and e-mail address 484, The user also enters 
information regarding the policy in which he wishes to 
invest (step 1006) . This information may include the 
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policy number 327, the portion 343 of the risk he 
assumes in syndication, and the length. . . 

.is, the duration of the 

credit freeze 349) . The user then clicks the "submit 
- 24 

order 11 box 621 (step 1007) which causes the information 
to be encrypted and transmitted to the... 

.prompted with a response 

5 date within which he will receive confirmation of the 
syndication contract , Alternatively, if credit can be 
verified in real time, an immediate confirmation will 
be provided. . . 

.flowcharts, show the steps executed by the syndication 
central server 120 in processing an investment order 
103 

In step 1101, the syndication central server 120 
receives and decrypts the transmission from a new 
investment record containing the personal information 
and investment ordering information entered by the user 
in steps 1005 and 1006. This record is stored in... 

.line for the 

amount of risk assumed by the user in syndication of 
the specific policy for the designated amount of time 
(step 1104) , 

The credit card issuing bank server 150 accesses the 
cardholder database 720 and account database 730 and 
determines the existing unused credit line... 

.investor is not previously 

known; the server also adds a record to the investor 
(by policy ) database 440 to reflect the information 
entered by the investor previously in steps 1005 and. . . 

.to the transaction database 
470o 

Based on the user-specified terms entered in the 
investment order , the server calculates the dollar 
amount of the risk assumed and the dollar amount of . . . 

.premiums to be received by the investor and stores 
these amounts in the investor (by policy ) database 440 
(step 1123) , 

The server also updates the record in the syndication 
(by policy ) database 430 for the policy (step 1124) . 
Specifically, the server decrements the amount of 

outstanding risk, increments the number of... 107 of the investment 
to the user via the e-mail address provided on the 

order form. Finally, in step 1127, the syndication 
central server encrypts and transmits the updated 
syndication. . . 

. is 

processed by the syndication central server 120. In 

step 1201, the insurance company central controller 201 
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receives and decrypts the transmission from the 
syndication central server sent in step 1127... 
.by the 

syndication central server 120, Specifically, the 
insurance company server updates the syndication (by 

policy ) database 330 (step 1202), adds a record to the 
investor (by policy ) database 340 (step 1203), and adds 
35 a record to the billing/payment database 380... 

.by the insurance 

company server 110 in this embodiment when processing 
premium payments on a policy , In step 1301, the 
insurance company receiv 

es a monthly premium check in a 
certain. . . 
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Detailed Description 
... recent usage. 

In one optional embodiment, the nodes of the network are organized into a 

hierarchy of groups. In this embodiment, the memory subsystems 
232a-232c can include a hierarchy 1 5 manager that provides 
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hierarchical control for the distribution of data. This includes 
controlling the migration controller , and policy controller , which 
are discussed in detail below, to perform hierarchical data migration 
and load balancing, such that data migrates primarily between computers 
of the same group, and passes to other groups in hierarchical order . 
Resource distribution is similarly managed. 

FIG. 7 illustrates in more detail one shared memory subsystem. . . 
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Detailed Description 
recent usage. 

In one optional embodiment, the nodes of the network are organized into a 

hierarchy of groups. In this embodiment, the memory subsystems 
232a-232c can include a hierarchy manager that provides hierarchical 
control for the distribution of data. This includes controlling the 
migration controller , and policy controller , which are discussed in 
detail below, to perform 5 hierarchical data migration and load 
balancing, such that data migrates primarily between computers of the 
same group, and passes to other groups in hierarchical order . 
Resource distribution is similarly managed. 
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FIG. 7 illustrates in more detail one shared memory subsystem. . . 
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Detailed Description 
recent usage . 



In one optional embodiment, the nodes of the network are organized into a 

hierarchy of groups. In this embodiment, the memory subsystems 
232a-232c can include a hierarchy manager that provides hierarchical 
control for the distribution of data. This includes controlling the 
migration controller , and policy controller , which are discussed in 
detail below, to perform 1 0 hierarchical data migration and load 
balancing, such that data migrates primarily between computers of the 
same group, and passes to other groups in hierarchical order . 
Resource distribution is similarly managed. 

FIG. 7 illustrates in more detail one shared memory subsystem. . . 
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-dustrial plant. This is similar to what the 
human nervous system does . . . 
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Claim 

... an alternative parsegraph within a recursive call to 

the toplevel to enforce a particular interaction sequence with a 
user. Referring now to Figures 3 and 3a-3d, an icon is def ined. . . f or 
specific operations such as the creation of 

temporary icons and the management of non- hierarchical crosslinks 
that are available in the interface but may not be available in 
the underlying. . .They are deleted from the Icon. list when a 
change-directory 
command executes . 

Alternatively the policy could be to delete these icons at startup 
time - i.e. to clear the field... 

...type - one of DIR or FILE 

icon. crosslink? r If TRUE, this is a non- hierarchical link In the 
Interface and does not reflect the structure of the underlying file 
system. . . 

. . . list of 

references to file objects which the user wishes to collect and 
have immediate access to during a session. 
The User-Level Command Scripts 

Information about the user-level commands ... animation to a user-level 
command, 
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enables cursor tracking, and enables calibration with other 
animation sequences so that animation sequences can be appended 
to one another while maintaining smooth motion. Information 
about how an icon ... technique for 

animation calibration which is discussed below in the section 
entitled "Internal Proceduresw, 
System Control Data Structures 

The following data structures are used for system control 
and sequencing of basic execution units. 

Input signal mapping is stored in a data structure referred 
to generally as keycodsgrammer . This is a finite grammar that 
associates each valid input sequence with a keycode-identical 
set. In the preferred embodiment, this declarative 
representation is used by. . . 
.standard type of lexical parser to 

return the appropriate conmi and. . class given any valid input 

sequence . The following information is contained in 
keycode . grammer : 

keycode.grammerAnpuLsequence rstring with coding dependant on... 
.In the 

presently preferred embodiment, the parsegisph is a finite state 
machine that records valid sequences of user-level commands . 
This is used to place restrictions on certain combinations of 
commands, particularly in nested animation sequences that are 
used to obtain specific kinds of information from a user (see 
the parse. . .system. In the presently preferred embodiment, cormiand 
invocation is button-based using the game pad controller 
described above. Each command is associated with a small number 
of input keys which are either pressed together or in sequence . 
Each command is made up of a single basic execution unit which 
includes a prologue. . . 

.presently preferred embodiment, a number of commands 

can be associated with identical signals (or signal sequences ) 

from an input device such as a keyboard and mouse, a gamepad 

controller , or an infrared remote controller . When more than 
one command is assigned to a single user input (or sequence of 
inputs), the commands are uniquely distinguishable by the 
existence of arguments, the type of... the 

commands in a keycode-identical set are assigned to the same 
input signal or sequence of input signals, input signals from 
the input device are parsed to return the keycode... 

.detailed descriptions of commands are 

illustrative of the type of commands and style of animation 

sequences that are provided by the invention. Other commands 
and/or animations can be substituted for. . . 
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Detailed Description 
... is 

said to hold modified or dirty data, In write-back 
cache systems, the cache controller is required to 
watch or "snoop" the host bus during cycles by other 
bus masters . . . 

...described below, 

Cache management is generally performed by a 

device referred to as a cache controller . A principal 

cache management policy is the preservation of cache 

coherency, Cache coherency refers to the requirement 

that any valid. . .modified location in a write-back cache, 

In computer systems where independent bus masters 

can access main memory, there is a possibility that a 

bus master, such as another processor, or a direct 

memory access controller , network or disk interface 

card, or video graphics card, might alter the contents 

of a . . . 

. . .or invalid data, Problems would 

result if the processor inadvertently obtained this 
invalid data, In order to maintain cache coherency, it 
is necessary for the cache controller to monitor the 
host bus when the processor does not control the host 
bus to see if another bus master accesses main memory. 

This method of monitoring the bus is referred to as 
snooping. 

The cache . . . 
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Claim 

the media 
key, 

6 A system according to claim 3 further 
comprising: 

the crypto media controller also for (1) 
receiving a user PIN from a personal keying device from 
a user seeking access to an initialized unit of media 
under control of the crypto media controller ; 
storage search logic in the crypto media 

controller for (1) reading the initialized unit of media 
and. extracting the media UID, , (ii) searching the storage 
in the personal keying device and extracting the 
enciphered media key/ access vector pair for the media 
UID and passing it to a key management crypto in the 
crypto media controller ; 

the key management crypto for (i) fetching the 
user UID from the personal keying device... 

...PIN, and the enclave key to form a combined key 

to decrypt the media koy/ access vector pair, and passing 

the extracted media key to a data crypto and the access 

vector to the access control logic; 

the data crypto for deciphering data on a unit 

of media using the media key and passing it to the 

access control logic, the data deciphered in response to 
15 a read or write request for the data by the Workstation; 
the access control logic for controlling 
whether the desired mode of access is permitted based on 
the access vector and the device attributes contained 
within the crypto media controller , and aborting the 
attempted access to the data if the access is not 
permitted and otherwise permitting the access whereby 
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data is transferred to a Workstation for processing; and 
the crypto media controller including logic for 
25 causing a complete reset of the crypto media controller 
and requiring the keying process to be started from the 

beginning in the event that ...or the unit of media is removed from the 
o A data enclave method for securing data carried 
on physical units of fixed and removable media in a 
network including a... 

, .to 

which a user UIDhas been assigned, and using them 
represent the privileges and other security related 
information that pertains to each user; 
(h) providing a media key for each unit. . . 

.a media UID has been 

assigned, and using them to represent the sensitivity or 

other security related information that may pertain to 

the data carried on the units of media; 

(k) providing an access vector associated with 

each media key to form media key/ access vector pairs, 

storing them in the personal keying devices, and using 

them to represent the possible conditions of access to 

the data encrypted on the media for the user assigned to 

the personal keying device holding the media key/ access 

vector pair or pairs, and forming the access vector 

using the corresponding media attributes and user 

attributes, and a set of access rules ; 

(1) storing the media key/ access vector pairs 

in the personal keying devices enciphered with a 

combined key including the userfs... 

. enclave key; 

(m) providing device attributes for each 
attributes of the workstations; an 

(n) providing access control logic in each 

5 crypto media controller for restricting access to the 

data on the media based on the user's PIN, the access 

vector and the device attributes for the Workstation 

from which access is attempted. 

8e A method according to claim 7 further 

comprising the steps of: 

(a) providing key management crypto logic in 
each crypto media controller or (i) receiving a 
requesting user's PIN from a personal keying device, 

(ii) receiving . . . 

.indexing the user attribute data base 

with the user UID to extract the set of security 

attributes pertaining to the requesting user and passing 

the security attributes to security policy logic in the 

server; 

(d) the security policy logic accepting the 
media attributes and the requesting userts security 
attributes and, using a set of rules and/or under the 
direction of a system administrator, computing a new 
access vector which defines limits on the access the 
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requesting user will have to the new unit of media; 

(e) the key management... 

. key for the new unit of 

mediar and (ii) and enciphering the new media key/ access 
vector pair formed with the new media key and new access 
vector with a combined key including the user UID, the 
25 user PIN and the... 

.the first packet was received; and 

(h) providing storage-search logic in the 

crypto media controller for (i) receiving the new media 
UID and writing it to an appropriate location on. . . 
. new 

unit of media and (11) storing the second packet 
containing the new media key/ access vector pair in the 
personal keying device attached to the Workstation using 
the new media. . .further 
comprising the steps of: 

(a) providing key management crypto logic in 

each crypto media controller for (i) receiving a 

requesting user's PIN from a personal keying devicet 

(ii) receiving. . . 

. an 

initialized unit of media and searching the personal 
keying device for a media key/ access vector pair for the 
initialized unit of media for the requesting user using 
the user. . . 

.encrypting the first 

packet with the enclave key, and (iii) sending the 
packet to the security server over the network; 

(c) providing key management crypto logic in 
the server for decrypting. . . 

.UID, and the media UID 
and the request; 

(d) providing storage search logic in the 

security server for (i) reading a user attribute data 
base stored in the server using the... 

.user attribute data base using the 

user's PIN as an index and extracting the security 
attributes of the requesting user, and (v) passing the 

security attributes to security policy logic in the 
server; 

(f) the security policy logic receiving the 
security attributes and computing a new access vector 

which defines limits on the access the user may have to 
the initialized unit of media, the new access vector 
computed using a set of rules and/or with the 
intervention of a system administrator; 

(g) the storage search logic also. . . 

. f inding 

an enciphered key packet in a crypto key data base held 
in the security server which has been previously stored 
and which contains the media-key for the initialized. . . 
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...is found extracting 

the media key from it, and (1111 forming a new media 
key/ access vector pair with the extracted media key and 
the new access vector, and a new key packet including 
the new media key/ access vector pair, the user UID, and 
the media UID, and placing the new key packet... 

...base for archival purposes; 

(h) the crypto key logic also enciphering the 
new media key/ access vector pair with a combined key 
including the-user UID, the user"s PIN, and the enclave 
15 key, and transmitting the enciphered packet along the 
network to the cryptomedia controllers and 

(1) the crypto media controller using the 
media UID as-an index to store the new media key/ access 
vector pair in the personal keying device from which the 
user's PIN was entered... 

...media key, and has physical possession of theunit. of 
media controlled by a crypto media controller containing 
the enclave key, the access of the user further being 
restricted by the access vector paire with the media 
key, 

108 A Method according to claim 7 further 
comprising the steps of: 

(a) the crypto media controller also (J-) 
receiving a user PIN from a personal keying device from 
a user seeking access to an initialized unit of media 
under control of the crypto media controller ; 

(b) providing storage search logic in the 

crypto media controller for (i) reading the initialized 
unit of media and extracting the media UID, (ii) 
searching the storage in the personal keying device and 
extracting the enciphered media key/ access vector pair 
for the media UID and passing it to a key management 
crypto in the crypto media controller ; 

(c) the key management crypto (i) fetching the 
user UID from the personal keying device... 

...PIN, and the enclave key to form a combined key 

to decrypt the media key/ access vector pair, and passing 
the extracted media key to a data crypto and the access 
vector to the access control logic; 

(d) the data crypto deciphering data on a unit 

of media using the media key and passing it to the 

access control logic, the data deciphered in response to 
a read or write request for the data by the Workstation; 

(e) the access control logic controlling 

whether the desired mode of access is permitted based on 
the access vector and the device attributes contained 
within the crypto media controller , and aborting the 
attempted access to the data if the access is not 
permitted and otherwise permitting the access whereby 
data is transterred to a Workstation for processing; and 

(f) providing logic in the crypto media 

controller for causing a complete reset of the crypto 
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media controller and requiring the keying process to be 
started from the beginning in the event that... 

.from the Workstation. 

ill A trusted path system for communication between 
a Workstation and a secure computer over a untrusted 
communication medium, comprising; 

a logic and control unit in the Workstation and 
in the secure computer; 

an end-to-end authentication token exchange 

protocol used to assure the logic and control unit in 

the Workstation is communicating with an authentic logic 

20 and control unit in the secure computer, ...into t interaction 

between 

next time a legitimate transaction is received by a 
logic and control unit; 

a cryptographic checksum protocol used to 

assure transactions between the logic and control units 
have not been tampered with, the checksum protocol 
authenticating single transactions between the 

sequences of transactions; and 
an identification and authentication protocol 
invoked when a user wishes to interact with the secure 
computer for some period of time, using the keyboard and 
display of the Workstation and. . . 
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